Mass Ransomware Attack by REvil Affects Hundreds of Businesses

Over the holiday weekend, at least 200 U.S. companies and hundreds of Swedish supermarkets suffered from a massive ransomware attack by REvil. 

More than a million systems might have been affected according to the hackers. REvil, the hacking group claiming responsibility and who may or may not have affiliations with the Russian government, demanded $70 million in Bitcoin for a universal decrypter to restore the victims’ data. REvil also caused the extortion cyber-attack on JBS Foods earlier this year, wiping out 20 percent of U.S. beef production. 

According to reports, the hacking group breached IT firm Kaseya using previously unknown vulnerabilities and used its access to penetrate its clients’ networks. However, Kaseya stated that the hackers attacked customers directly, rather than tampering with the Kaseya codebase. The attack prompted President Joe Biden to officially and publicly direct intelligence agencies to investigate the attacks. 

To learn more about the ransomware attack by REvil, we consulted with cybersecurity experts. Here’s what they had to say. 

Mass Ransomware Attack by REvil Affects Hundreds of Businesses

Jim Gogolinski

Jim Gogolinski is the Vice President of Research and Intelligence at iboss. 

“What makes this attack unique is that it may be the first large-scale multi-tiered supply chain-based ransomware attack. REvil took advantage of some zero-days in Kaseya VSA cloud-based software to deliver their ransomware through the MSP providers who use Kaseya to get to their actual victims, thousands of clients of these MSPs. REvil is claiming to have impacted over a million systems with this latest attack. In another first, REvil is asking for the highest reported payment of $70M. This is a change from their initial ask of a large payment from each impacted MSP and then a smaller payment from the actual clients themselves. This attack continues to drive home the point that ransomware groups continue to evolve their TTPs as well as their business plans. Ransomware attacks are increasing in both volume and complexity and companies need to remain vigilant and have a tested plan in place in case they become a victim.”

Tom Garrubba

Tom Garrubba is CISO of Shared Assessments. 

“If ransomware were a TV series this latest incident involving Kaseya VSA would be a great season finale; a ransomware attack affecting a competitor to Solar Winds.

“Organizations must understand that we are in a “soft war” with these RaaS (ransomware as a Service) providers, and we must be expeditiously and continuously diligent on all-forms of IT and cyber hygiene. Everything from application code reviews to patch management, along with methodologies and processes to upgrading network and system components must be incessantly reviewed and any actions needed are immediate.

“It is time for organizations to be proactive in these endeavors and to further ensure their downstream suppliers and vendors and critical partners are doing the same. RaaS providers are to be viewed in the same light as cyber terrorists; whereas organizations need to be right all the time in their IT processes and cyber hygiene, these cyber terrorists need to be right just once to affect many.”

Garret Grajek

Garret Grajek is CEO of YouAttest. 

“The Kaseya attack continues a disturbing trend made publicly known by the Solarwinds attack – that is the ability of the hackers not to just invest a single site – but to successfully integrate their malware into the existing software supply chain – in this case, Kayesa VSP, a MSP security management solution.   It’s important to note – the ransomware is being requested by an affiliate of REvil – which makes these attacks all the more worrisome.  It’s an entire ecosystem of cyber terrorists working against our IT infrastructure.

“The Cybersecurity and Infrastructure Security Agency (CISA)  CISA and the FBI had key recommendations which included backups, MFA (2-Factor) authentication and executing on the Principle of Least Privilege (NIST PR-AC-6) to insure that compromised accounts are not granted excessive and damaging privileges. “Constant vigilance on the privileges of our accounts and changes must be accounted for in a secure environment”, says Garret Grajek CEO of YouAttest, an identity attestation company.”

Thanks to these experts for their time and expertise on the ransomware attack by REvil. For more information on how to protect your business, check out the Endpoint Security Buyer’s Guide.